Revision as of 19:50, 14 November 2006

Brief Summary

In this paragraph we describe how to test an application for OS commandind testing: this means try to inject an on command throughout an HTTP request to the application.

Short Description of the Issue

OS Commanding is a technique used via a web interface in order to execute OS commands on the web server.

The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS commanding is preventable when security is emphasized during the design and development of applications.

Gray Box testing

Sanitization
The URL and form data needs to be sanitized for invalid characters. A “blacklist” of characters is an option but it may be difficult to think of all of the characters to validate against. Also there may be some that were not discovered as of yet. A “whitelist” containing only allowable characters should be created to validate the user input. Characters that were missed as well as undiscovered threats should be eliminated by this list.Permissions
The web application and its components should be running under strict permissions that do not allow operating system command execution.